2.4 Established

Consent receipts and records

A delegation receipt screen that renders the machine-readable consent record as a plain-language summary of scope, parties, temporal bounds, and an action log.

01 Emerging Challenges

As agents act asynchronously and at scale, a citizen needs durable proof of what was authorized, as distinct from what was done, long after the moment of consent. Every party needs a record of what was consented to, when, by whom, and under what conditions, in a form that the agency receiving the agent's requests can verify.

02 Assurance

After a delegation has been used, a relying agency and the citizen both need to verify its scope, the parties, and its temporal bounds, and to tell what was authorized apart from what the agent actually did.

03 Access

Machine-readable records are invisible to users unless surfaced through an accessible interface. Every delegation receipt must have a human-readable rendering (a plain-language summary), available in multiple formats (web, PDF, email, SMS summary) and in the citizen's preferred language. Citizens must be able to request a complete record of all actions taken under a delegation in an accessible format.

04 Response surface
Interaction design · Considered
The response this pattern proposes

The consent lifecycle, from collection through to withdrawal, is rendered as a timeline the citizen can read, with a 'download record' action that produces the receipt in several formats.

No surface has been built yet; the approach above is the brief for one.

05 Maturity
  1. Established (headline)

    For recording consent in a durable, machine-readable form.

  2. Emerging

    As built systems that a relying agency can verify after the fact.

06 Precedents

Kantara Initiative Consent Receipt Specification. Defines a JSON-based record containing transactional information (timestamp, receipt ID), PII Controller contact details, PII Principal information, links to privacy policies, description of data collected, purposes for collection, and processing details. The specification has been referenced in ISO/IEC 29184:2020 (Online privacy notices and consent).

ISO/IEC TS 27560:2023 — Consent record information structure. Provides guidance for creating machine-readable consent records and consent receipts covering the full lifecycle: collection, storage, retrieval, modification, and withdrawal of consent. Works alongside ISO/IEC 29184:2020, which handles the human-readable representation.

07 Transferability

Consent receipts are directly applicable to agent delegation records. A "delegation receipt" would extend the consent receipt model with: delegation scope (the specific actions and services authorized, using RAR-style authorization_details); delegate identity (the agent operator and, where possible, the specific agent instance); delegator identity (bound to a verified digital identity); temporal bounds (start time, expiry, renewal conditions); a revocation mechanism (how to revoke, and what happens to in-flight transactions); and an audit trail of actions taken under the delegation.
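
As an added illustration, not taken from this pattern or from either cited specification: a delegation receipt carrying the fields listed above, with an audit that checks each logged action against the receipt's scope, temporal bounds and revocation time. Field names other than the RAR `authorization_details` members `type` and `actions` are hypothetical, the receipt is constructed sample data, and treating revocation as effective from the instant it is recorded is an assumption.

```python
from datetime import datetime

# Constructed sample receipt. Only "type" and "actions" inside
# authorization_details follow RAR (RFC 9396); other field names are hypothetical.
RECEIPT = {
    "receipt_id": "example-receipt-001",
    "delegator": "citizen:example-1234",
    "delegate": {"operator": "example-operator", "agent_instance": "agent-7"},
    "authorization_details": [{"type": "benefit_claim", "actions": ["read", "submit"]}],
    "not_before": "2025-01-01T00:00:00+00:00",
    "expires_at": "2025-03-01T00:00:00+00:00",
    "revoked_at": "2025-02-10T12:00:00+00:00",
    "action_log": [
        {"at": "2025-01-05T09:00:00+00:00", "type": "benefit_claim", "action": "submit"},
        {"at": "2025-01-06T09:00:00+00:00", "type": "benefit_claim", "action": "delete"},
        {"at": "2025-02-11T09:00:00+00:00", "type": "benefit_claim", "action": "read"},
        {"at": "2025-03-02T09:00:00+00:00", "type": "benefit_claim", "action": "submit"},
    ],
}

def in_scope(entry, details):
    """True if some authorization_details object covers the logged action."""
    return any(d["type"] == entry["type"] and entry["action"] in d.get("actions", [])
               for d in details)

def audit(receipt):
    """Return (log entry, list of violations) for every logged action."""
    ts = datetime.fromisoformat
    start, end = ts(receipt["not_before"]), ts(receipt["expires_at"])
    revoked = ts(receipt["revoked_at"]) if receipt.get("revoked_at") else None
    results = []
    for entry in receipt["action_log"]:
        when, problems = ts(entry["at"]), []
        if not in_scope(entry, receipt["authorization_details"]):
            problems.append("outside_scope")
        if not (start <= when < end):
            problems.append("outside_temporal_bounds")
        # Assumption: nothing is honoured from the revocation instant onward.
        if revoked and when >= revoked:
            problems.append("after_revocation")
        results.append((entry, problems))
    return results

if __name__ == "__main__":
    for entry, problems in audit(RECEIPT):
        print(entry["at"], entry["action"], problems or "within authority")
```

The audit is only as trustworthy as the receipt and log it reads, so a relying agency would first check their integrity and origin (for example, an issuer signature); that step is outside this example.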

The ISO/IEC 27560 lifecycle model (collect, store, retrieve, modify, withdraw) maps well to a delegation lifecycle. The gap: neither standard contemplates a non-human delegate or the provenance chain needed to prove an agent acted within its delegated authority.

08 Where things go wrong

Without a durable record, a citizen cannot prove what an agent was authorized to do versus what it actually did. A verifiable receipt of exactly what was authorized, and what was done under it, gives the citizen the evidence to contest an action taken outside its granted scope.

09 Sources
2 references International · ISO/IEC